gafaelfawr — Authentication & identity

Gafaelfawr provides authentication and identity management services for the Rubin Science Platform. It is primarily used as an NGINX auth_request handler configured via annotations on the Ingress resources of Science Platform services. In that role, it requires a user have the required access scope to use that service, rejects users who do not have that scope, and redirects users who are not authenticated to the authentication process.

Gafaelfawr supports authentication via either OpenID Connect (often through CILogon or GitHub).

Gafaelfawr also provides a token management API and (currently) UI for users of the Science Platform.

View on GitHub	applications/gafaelfawr Application template
Homepage	https://gafaelfawr.lsst.io/
Source	lsst-sqre/gafaelfawr
Related docs	DMTN-234: RSP identity management design DMTN-224: RSP identity management implementation strategy SQR-055: COmanage configuration for Rubin Science Platform SQR-069: Implementation decisions for RSP identity management
Type	Helm
Namespace	gafaelfawr
Argo CD Project	Project.infrastructure
Environments	base values Argo CD ccin2p3 values Argo CD idfdev values Argo CD idfint values Argo CD idfprod values Argo CD minikube values roe values Argo CD roundtable-dev values Argo CD roundtable-prod values Argo CD summit values Argo CD tucson-teststand values Argo CD usdf-tel-rsp values Argo CD usdfdev values Argo CD usdfint values Argo CD usdfprod values Argo CD

Guides

• Bootstrapping Gafaelfawr
  • Choose an identity provider
  • Assign scopes and admins
  • Enable database schema initialization
• Managing the database schema
  • Updating the database schema
  • Initializing the database
• Recreating Gafaelfawr service tokens
• Releasing GitHub organization data
• Troubleshooting
  • User has no access to services
  • COmanage enrollment fails after prompting for attributes
  • Viewing logs
• Gafaelfawr Helm values reference